//
// exploitable_rules.h
//
// Analysis rules for the !exploitable Crash Analyzer
//
//
// Developed by the Microsoft Security Engineering Center (MSEC)
// Copyright 2008-2013, Microsoft Corporation
//
//	Microsoft Public License (Ms-PL)
//	This license governs use of the accompanying software. If you use the software, you accept this license. If you do not accept the license, do not use the software.
//
//	Definitions
//		The terms "reproduce," "reproduction," "derivative works," and "distribution" have the same meaning here as under U.S. copyright law. A "contribution" is the original software, or any additions or changes to the software. A "contributor" is any person that distributes its contribution under this license. "Licensed patents" are a contributor's patent claims that read directly on its contribution.
//	Grant of Rights
//		(A) Copyright Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free copyright license to reproduce its contribution, prepare derivative works of its contribution, and distribute its contribution or any derivative works that you create.
//		(B) Patent Grant- Subject to the terms of this license, including the license conditions and limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free license under its licensed patents to make, have made, use, sell, offer for sale, import, and/or otherwise dispose of its contribution in the software or derivative works of the contribution in the software.
//	Conditions and Limitations
//		(A) No Trademark License- This license does not grant you rights to use any contributors' name, logo, or trademarks. 
//		(B) If you bring a patent claim against any contributor over patents that you claim are infringed by the software, your patent license from such contributor to the software ends automatically. 
//		(C) If you distribute any portion of the software, you must retain all copyright, patent, trademark, and attribution notices that are present in the software. 
//		(D) If you distribute any portion of the software in source code form, you may do so only under this license by including a complete copy of this license with your distribution. If you distribute any portion of the software in compiled or object code form, you may only do so under a license that complies with this license. 
//		(E) The software is licensed "as-is." You bear the risk of using it. The contributors give no express warranties, guarantees, or conditions. You may have additional consumer rights under your local laws which this license cannot change. To the extent permitted under your local laws, the contributors exclude the implied warranties of merchantability, fitness for a particular purpose and non-infringement.
//

#pragma once

#include "exploitable.h"

typedef enum _PROCESSING_TYPE
{
	GATHER_DATA,
	REPORT_DATA,
	ANALYZE_DATA
} PROCESSING_TYPE;

#define DONT_CARE			0xffffffff
#define	KERNEL				1
#define USER				2
#define IN_KERNEL_MEMORY	1
#define IN_USER_MEMORY		2
#define NEAR_NULL			3
#define NOT_NEAR_NULL		4
#define FIRST_CHANCE		1
#define SECOND_CHANCE		2

typedef bool (*GATHER_FUNC) (const DEBUGGER_CONTROLS &, DEBUGGER_STATE *);
typedef void (*REPORT_PROC) (const DEBUGGER_CONTROLS &, const DEBUGGER_STATE &);
typedef bool (*ANALYSIS_FUNC) (const DEBUGGER_STATE &);

typedef struct _EXPLOITABLE_RULE
{
	PROCESSING_TYPE		eProcessingType;
	GATHER_FUNC			pfuncGatherFunction;
	REPORT_PROC			pfuncReportProcedure;

	DWORD				dwProcessorModeRule;
	DWORD				dwExceptionAddressRangeRule;
	DWORD				dwExceptionTypeRule;
	DWORD64				qwExceptionSubTypeRule;
	DWORD				dwExceptionLevelRule;

	ANALYSIS_FUNC		pfuncAnalysisFunction;

	CLASSIFICATION		eResult;
	PCWSTR				pwzDescription;
	PCWSTR				pwzShortDescription;
	PCWSTR				pwzExplanation;
	PCWSTR				pwzUrl;
	bool				fIsFinal;
} EXPLOITABLE_RULE;

#ifdef EXPLOITABLE_MODULE

// Processing syntactic sugar
#define INITIAL_GATHER_DATA			{ GATHER_DATA
#define BEGIN_GATHER_DATA			,{ GATHER_DATA
#define GATHER_FUNCTION 			,
#define END_GATHER_DATA				, NULL, DONT_CARE, DONT_CARE, DONT_CARE, DONT_CARE, DONT_CARE, NULL, UNKNOWN, NULL, NULL, NULL, NULL, false }
#define BEGIN_REPORT_DATA			,{ REPORT_DATA, NULL
#define REPORT_PROCEDURE			,
#define END_REPORT_DATA				, DONT_CARE, DONT_CARE, DONT_CARE, DONT_CARE, DONT_CARE, NULL, UNKNOWN, NULL, NULL, NULL, NULL, false }
#define BEGIN_ANALYZE_DATA			,{ ANALYZE_DATA, NULL, NULL 
#define PROCESSOR_MODE				,
#define EXCEPTION_ADDRESS_RANGE		,
#define EXCEPTION_TYPE				,
#define EXCEPTION_SUBTYPE			,
#define EXCEPTION_LEVEL				,
#define ANALYZE_FUNCTION			,
#define RESULT_CLASSIFICATION		,
#define RESULT_DESCRIPTION			,
#define RESULT_SHORTDESCRIPTION		,
#define RESULT_EXPLANATION			,
#define RESULT_URL					,
#define RESULT_IS_FINAL				,
#define END_ANALYZE_DATA			}

// The rules table for !exploitable 2.0
//
// Each rule is fired in order. If at any point a Gather function fails, we will stop processing the rules. If at any point a rule that is flagged
// as final succeeds, we will stop processing rules.
//
// Requirements: Gather Functions
//		Each gather function should be run once and only once, and is required to cache the results in the DEBUGGER_STATE object
//		it is passed. If additional state is required, the DEBUGGER_STATE object should be expanded. 
//
//		Gather functions only return false if they hit an unexpected failure. This will result in an error from !exploitable, and
//		no futher processing can be done.
//
//		The more expensive a gather function is, the later it should be done in processing. All time consuming analysis should be
//		done in the gather function and cached, rather than being done in the analysis functions
//
// Requirements: Report Procedures
//		Report procedures pass the results of gather functions out to the caller. All report procedures should honor the
//		log settings, and produce both machine readable and human results
//
// Requirements: Analysis Functions
//		Analysis functions should be as lightweight as possible, with any shared heavy calculations done in gather functions
//		that are run at the appropriate point in the rules table
//
// Rules Table Notes:
//		This is just an array of structs. The syntactic sugar exists to make it more readable for humans, however, the 
//		order is important, so do not assume that the helpful #defines let you reorder things
static EXPLOITABLE_RULE RULES[] = {

	// Gather and report the initial state of the debugger
	//
	// Note that we don't report the stack information here, because we may gather it multiple times as we find
	// better contexts within which to work. Because of this, stack information is actually reported by the rules
	// engine itself
	INITIAL_GATHER_DATA
		GATHER_FUNCTION				GatherInitialState
	END_GATHER_DATA

	BEGIN_REPORT_DATA
		REPORT_PROCEDURE			ReportInitialState
	END_REPORT_DATA

	BEGIN_GATHER_DATA
		GATHER_FUNCTION				GatherStackInformation
	END_GATHER_DATA

	// Rule: If the event in the debugger is not an exception, we are unable to continue any further with our
	//		 analysis, and we terminate
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				DONT_CARE
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				DONT_CARE
		EXCEPTION_SUBTYPE			DONT_CARE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			IsEventNotAnException
		RESULT_CLASSIFICATION		NOT_AN_EXCEPTION
		RESULT_DESCRIPTION			NULL
		RESULT_SHORTDESCRIPTION		NULL
		RESULT_EXPLANATION			L"The current event is not an exception. No further analysis will be done."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Gather and report all of the exception specific information, but do no analysis of the
	// faulting code. 
	BEGIN_GATHER_DATA
		GATHER_FUNCTION				GatherExceptionInformation
	END_GATHER_DATA

	BEGIN_REPORT_DATA
		REPORT_PROCEDURE			ReportExceptionInformation
	END_REPORT_DATA

	// Rule: If the exception is a Debugger Wake event, no further processing is necessary, something unusual has happened,
	//       we don't know what, and we don't have any way to get additional data
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				DONT_CARE
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_WAKE_SYSTEM_DEBUGGER
		EXCEPTION_SUBTYPE			DONT_CARE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		UNKNOWN
		RESULT_DESCRIPTION			NULL
		RESULT_SHORTDESCRIPTION		NULL
		RESULT_EXPLANATION			L"The application has requested a Debugger Wake event. This should not happen during normal operations, and should be investigated."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: Any exception in which the faulting instruction is executing from the stack is exploitable
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				DONT_CARE
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				DONT_CARE
		EXCEPTION_SUBTYPE			DONT_CARE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			IsFaultingInstructionOnStack
		RESULT_CLASSIFICATION		EXPLOITABLE
		RESULT_DESCRIPTION			L"Exception generated by code running in the Stack"
		RESULT_SHORTDESCRIPTION		L"StackCodeExecution"
		RESULT_EXPLANATION			L"Code execution from the stack is considered exploitable"
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: Any exception in kernel mode where the faulting instruction is executing from user space is exploitable
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				KERNEL
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				DONT_CARE
		EXCEPTION_SUBTYPE			DONT_CARE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			IsFaultingInstructionInUserland
		RESULT_CLASSIFICATION		EXPLOITABLE
		RESULT_DESCRIPTION			L"Kernel Exception in Userland"
		RESULT_SHORTDESCRIPTION		L"KernelExceptionInUserland"
		RESULT_EXPLANATION			L"Any exception occurring in kernel mode where the code is in Userland is considered exploitable"
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: Illegal instruction exceptions indicate that program flow has been controlled by an attacker
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				DONT_CARE
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_ILLEGAL_INSTRUCTION
		EXCEPTION_SUBTYPE			DONT_CARE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		EXPLOITABLE
		RESULT_DESCRIPTION			L"Illegal Instruction Violation"
		RESULT_SHORTDESCRIPTION		L"IllegalInstruction"
		RESULT_EXPLANATION			L"An illegal instruction exception indicates that the attacker controls execution flow."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: Privileged  instruction exceptions indicate that program flow has been controlled by an attacker
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				DONT_CARE
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_PRIVILEGED_INSTRUCTION
		EXCEPTION_SUBTYPE			DONT_CARE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		EXPLOITABLE
		RESULT_DESCRIPTION			L"Privileged Instruction Violation"
		RESULT_SHORTDESCRIPTION		L"PrivilegedInstruction"
		RESULT_EXPLANATION			L"A privileged instruction exception indicates that the attacker controls execution flow."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: All Guard Page exceptions must be fixed
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				DONT_CARE
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_GUARD_PAGE_VIOLATION
		EXCEPTION_SUBTYPE			DONT_CARE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		EXPLOITABLE
		RESULT_DESCRIPTION			L"Guard Page Violation"
		RESULT_SHORTDESCRIPTION		L"GuardPage"
		RESULT_EXPLANATION			NULL
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: Stack Buffer Overruns (/GS Exceptions) must be fixed
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				DONT_CARE
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_STACK_BUFFER_OVERRUN
		EXCEPTION_SUBTYPE			DONT_CARE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		EXPLOITABLE
		RESULT_DESCRIPTION			L"Stack Buffer Overrun (/GS Exception)"
		RESULT_SHORTDESCRIPTION		L"GSViolation"
		RESULT_EXPLANATION			L"An overrun of a protected stack buffer has been detected. This is considered exploitable, and must be fixed."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: Heap Corruption is considered exploitable
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				DONT_CARE
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_HEAP_CORRUPTION
		EXCEPTION_SUBTYPE			DONT_CARE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		EXPLOITABLE
		RESULT_DESCRIPTION			L"Heap Corruption"
		RESULT_SHORTDESCRIPTION		L"HeapCorruption"
		RESULT_EXPLANATION			L"Heap Corruption has been detected. This is considered exploitable, and must be fixed."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: All DEP violations in kernal mode are exploitable
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				KERNEL
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_DEP
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		EXPLOITABLE
		RESULT_DESCRIPTION			L"Kernel Mode Data Execution Prevention Violation"
		RESULT_SHORTDESCRIPTION		L"DEPViolation"
		RESULT_EXPLANATION			L"All kernel mode DEP access violations are exploitable."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: DEP violations in user mode are exploitable if not near null
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				USER
		EXCEPTION_ADDRESS_RANGE		NOT_NEAR_NULL
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_DEP
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		EXPLOITABLE
		RESULT_DESCRIPTION			L"Data Execution Prevention Violation"
		RESULT_SHORTDESCRIPTION		L"DEPViolation"
		RESULT_EXPLANATION			L"User mode DEP access violations are exploitable."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: AVs at the instruction pointer are exploitable if in kernel mode
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				KERNEL
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			IsFaultingAddressInstructionPointer
		RESULT_CLASSIFICATION		EXPLOITABLE
		RESULT_DESCRIPTION			L"Kernel Mode Read Access Violation at the Instruction Pointer"
		RESULT_SHORTDESCRIPTION		L"ReadAVonIP"
		RESULT_EXPLANATION			L"All kernel access violations at the instruction pointer are exploitable."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: AVs at the instruction pointer are exploitable if not near null in user mode
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				USER
		EXCEPTION_ADDRESS_RANGE		NOT_NEAR_NULL
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			IsFaultingAddressInstructionPointer
		RESULT_CLASSIFICATION		EXPLOITABLE
		RESULT_DESCRIPTION			L"Read Access Violation at the Instruction Pointer"
		RESULT_SHORTDESCRIPTION		L"ReadAVonIP"
		RESULT_EXPLANATION			L"Access violations at the instruction pointer are exploitable if not near NULL."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Gather information on the exception chain
	BEGIN_GATHER_DATA
		GATHER_FUNCTION				GatherExceptionChainInformation
	END_GATHER_DATA

	// Rule: Corrupted exception handler chains are always exploitable
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				USER
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				DONT_CARE
		EXCEPTION_SUBTYPE			DONT_CARE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			WasExceptionHandlerChainCorrupted
		RESULT_CLASSIFICATION		EXPLOITABLE
		RESULT_DESCRIPTION			L"Exception Handler Chain Corrupted"
		RESULT_SHORTDESCRIPTION		L"ExceptionHandlerCorrupted"
		RESULT_EXPLANATION			L"Corruption of the exception handler chain is considered exploitable"
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: DEP violations in user mode are probably exploitable if near null
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				USER
		EXCEPTION_ADDRESS_RANGE		NEAR_NULL
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_DEP
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		PROBABLY_EXPLOITABLE
		RESULT_DESCRIPTION			L"Data Execution Prevention Violation near NULL"
		RESULT_SHORTDESCRIPTION		L"DEPViolation"
		RESULT_EXPLANATION			L"User mode DEP access violations are probably exploitable if near NULL."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: AVs at the instruction pointer are probably exploitable if near null in user mode
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				USER
		EXCEPTION_ADDRESS_RANGE		NEAR_NULL
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			IsFaultingAddressInstructionPointer
		RESULT_CLASSIFICATION		PROBABLY_EXPLOITABLE
		RESULT_DESCRIPTION			L"Read Access Violation Near Null at the Instruction Pointer"
		RESULT_SHORTDESCRIPTION		L"ReadAVonIP"
		RESULT_EXPLANATION			L"Access violations at the instruction pointer are probably exploitable if near NULL."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA



	// Gather and report the faulting instruction
	BEGIN_GATHER_DATA
		GATHER_FUNCTION				GatherFaultingInstruction
	END_GATHER_DATA


	// Rule: check if the instruction pointer can be un assembled if not, execution is way off.
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				DONT_CARE
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			CanFaultingInstructionNotBeDisassebled
		RESULT_CLASSIFICATION		PROBABLY_EXPLOITABLE
		RESULT_DESCRIPTION			L"Cannot disassemble instruction"
		RESULT_SHORTDESCRIPTION		L"ReadAvOnIP"
		RESULT_EXPLANATION			L"There is no memory backing the instruction pointer. Disassembly of instruction failed."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA





	BEGIN_REPORT_DATA
		REPORT_PROCEDURE			ReportFaultingInstruction
	END_REPORT_DATA

	// Some combinations of instructions and exceptionsare more logically handled by 
	// translating the exception. For example, a Write AV on a Push at the stack guard page
	// is effectively a stack overflow.

	BEGIN_GATHER_DATA
		GATHER_FUNCTION				GatherExceptionOverridesBasedOnFaultingInstruction
	END_GATHER_DATA

	// Rule: All user mode Write Access violations are exploitable if not near null
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				USER
		EXCEPTION_ADDRESS_RANGE		NOT_NEAR_NULL
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_WRITE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		EXPLOITABLE
		RESULT_DESCRIPTION			L"User Mode Write AV"
		RESULT_SHORTDESCRIPTION		L"WriteAV"
		RESULT_EXPLANATION			L"User mode write access violations that are not near NULL are exploitable."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	

	// Rule: Kernel mode first chance write exceptions are exploitable if the address is in kernel memory
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				KERNEL
		EXCEPTION_ADDRESS_RANGE		IN_KERNEL_MEMORY
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_WRITE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		EXPLOITABLE
		RESULT_DESCRIPTION			L"Write Access Violation in Kernel Memory"
		RESULT_SHORTDESCRIPTION		L"WriteAV"
		RESULT_EXPLANATION			L"All kernel mode write access violations in kernel memory are exploitable."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: Kernel mode second chance write exceptions are exploitable
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				KERNEL
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_WRITE
		EXCEPTION_LEVEL				SECOND_CHANCE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		EXPLOITABLE
		RESULT_DESCRIPTION			L"Write Access Violation in Kernel Mode"
		RESULT_SHORTDESCRIPTION		L"WriteAV"
		RESULT_EXPLANATION			L"All kernel mode second chance write access violations are exploitable."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: AVs on control flow are considered exploitable in the kernel
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				KERNEL
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			IsFaultingInstructionControlFlow
		RESULT_CLASSIFICATION		EXPLOITABLE
		RESULT_DESCRIPTION			L"Kernel Read Access Violation on Control Flow"
		RESULT_SHORTDESCRIPTION		L"ReadAVonControlFlow"
		RESULT_EXPLANATION			L"All kernel access violations in control flow instructions are considered exploitable."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: AVs on control flow are considered exploitable in user mode if not near null
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				USER
		EXCEPTION_ADDRESS_RANGE		NOT_NEAR_NULL
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			IsFaultingInstructionControlFlow
		RESULT_CLASSIFICATION		EXPLOITABLE
		RESULT_DESCRIPTION			L"Read Access Violation on Control Flow"
		RESULT_SHORTDESCRIPTION		L"ReadAVonControlFlow"
		RESULT_EXPLANATION			L"Access violations not near null in control flow instructions are considered exploitable."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: AVs on control flow are considered probably exploitable in user mode if near null
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				USER
		EXCEPTION_ADDRESS_RANGE		NEAR_NULL
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			IsFaultingInstructionControlFlow
		RESULT_CLASSIFICATION		PROBABLY_EXPLOITABLE
		RESULT_DESCRIPTION			L"Read Access Violation on Control Flow"
		RESULT_SHORTDESCRIPTION		L"ReadAVonControlFlow"
		RESULT_EXPLANATION			L"Access violations near null in control flow instructions are considered probably exploitable."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: Read AVS in a block move are considered probably exploitable
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				USER
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			IsFaultingInstructionBlockDataMove
		RESULT_CLASSIFICATION		PROBABLY_EXPLOITABLE
		RESULT_DESCRIPTION			L"Read Access Violation on Block Data Move"
		RESULT_SHORTDESCRIPTION		L"ReadAVonBlockMove"
		RESULT_EXPLANATION			L"This is a read access violation in a block data move, and is therefore classified as probably exploitable."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: Read AVS in a block move are considered probably exploitable
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				KERNEL
		EXCEPTION_ADDRESS_RANGE		IN_KERNEL_MEMORY
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			IsFaultingInstructionBlockDataMove
		RESULT_CLASSIFICATION		PROBABLY_EXPLOITABLE
		RESULT_DESCRIPTION			L"Kernel Memory Read Access Violation on Block Data Move"
		RESULT_SHORTDESCRIPTION		L"ReadAVonBlockMove"
		RESULT_EXPLANATION			L"This is a read access violation in a kernel memory block data move, and is therefore classified as probably exploitable."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Rule: Read AVS in a block move are considered probably exploitable
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				KERNEL
		EXCEPTION_ADDRESS_RANGE		IN_USER_MEMORY
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				SECOND_CHANCE
		ANALYZE_FUNCTION			IsFaultingInstructionBlockDataMove
		RESULT_CLASSIFICATION		PROBABLY_EXPLOITABLE
		RESULT_DESCRIPTION			L"Memory Read Access Violation on Block Data Move"
		RESULT_SHORTDESCRIPTION		L"ReadAVonBlockMove"
		RESULT_EXPLANATION			L"This is a second chance read access violation in a kernel mode block data move, and is therefore classified as probably exploitable."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// Gather and report the basic block
	BEGIN_GATHER_DATA
		GATHER_FUNCTION				GatherBasicBlock
	END_GATHER_DATA

	BEGIN_GATHER_DATA
		GATHER_FUNCTION				GatherTaintInformation
	END_GATHER_DATA

	BEGIN_REPORT_DATA
		REPORT_PROCEDURE			ReportBasicBlock
	END_REPORT_DATA

	// Rule: Tainted information used to control branch addresses is considered probably exploitable
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				DONT_CARE
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			IsTaintedDataUsedToDetermineBranchTarget
		RESULT_CLASSIFICATION		PROBABLY_EXPLOITABLE
		RESULT_DESCRIPTION			L"Data from Faulting Address controls Code Flow"
		RESULT_SHORTDESCRIPTION		L"TaintedDataControlsCodeFlow"
		RESULT_EXPLANATION			L"The data from the faulting address is later used as the target for a branch."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA
	
	// Rule: Tainted information used to control the target of a later write is probably exploitable
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				DONT_CARE
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			IsTaintedDataUsedInALaterWrite
		RESULT_CLASSIFICATION		PROBABLY_EXPLOITABLE
		RESULT_DESCRIPTION			L"Data from Faulting Address controls subsequent Write Address"
		RESULT_SHORTDESCRIPTION		L"TaintedDataControlsWriteAddress"
		RESULT_EXPLANATION			L"The data from the faulting address is later used as the target for a later write."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	// 
	// Terminal Unknown Rules
	//
	// These are rules where we have deterined that they are going to require human analysis, and we're going to end
	// further evaluation 
	//

	// Rule: Application Verifier Stops are called out as unknown
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				DONT_CARE
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				DONT_CARE
		EXCEPTION_SUBTYPE			DONT_CARE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			WasApplicationVerifierStopDetected
		RESULT_CLASSIFICATION		UNKNOWN
		RESULT_DESCRIPTION			L"Application Verifier Stop"
		RESULT_SHORTDESCRIPTION		L"AppVerifierStop"
		RESULT_EXPLANATION			L"An Application Verifier Stop was detected, but no additional security details could be determined. This fault must be manually investigated."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA


	//
	// Probably Not Exploitable Terminal Rules
	//
	// These are rules where further analysis has shown that it isn't worth human evaluation, even if there
	// are other mitigating circumstances
	//

	// Rule: User Mode Read AVs near null are considered probably not exploitable
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				USER
		EXCEPTION_ADDRESS_RANGE		NEAR_NULL
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		NOT_LIKELY_EXPLOITABLE
		RESULT_DESCRIPTION			L"Read Access Violation near NULL"
		RESULT_SHORTDESCRIPTION		L"ReadAVNearNull"
		RESULT_EXPLANATION			L"This is a user mode read access violation near null, and is probably not exploitable."
		RESULT_URL					NULL
		RESULT_IS_FINAL				true
	END_ANALYZE_DATA

	//
	// All non-final rules should be evaulated here. Please note that execution order is very important,
	// as each successive rule could override a previous rules results
	//

	// 
	// Probably Not Exploitable Non-Terminal Rules
	//

	// Rule: First chance read AVs from user memory in the kernel are not considered exploitable
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				KERNEL
		EXCEPTION_ADDRESS_RANGE		IN_USER_MEMORY
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				FIRST_CHANCE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		NOT_LIKELY_EXPLOITABLE
		RESULT_DESCRIPTION			L"First Chance Kernel Read Access Violation in User Memory"
		RESULT_SHORTDESCRIPTION		L"ReadAV"
		RESULT_EXPLANATION			L"This is a kernel mode first chance read access violation in user memory, and is probably not exploitable."
		RESULT_URL					NULL
		RESULT_IS_FINAL				false
	END_ANALYZE_DATA

	// Rule: First chance write AVs from user memory in the kernel are not considered exploitable
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				KERNEL
		EXCEPTION_ADDRESS_RANGE		IN_USER_MEMORY
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_WRITE
		EXCEPTION_LEVEL				FIRST_CHANCE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		NOT_LIKELY_EXPLOITABLE
		RESULT_DESCRIPTION			L"First Chance Kernel Write Access Violation in User Memory"
		RESULT_DESCRIPTION			L"WriteAV"
		RESULT_EXPLANATION			L"This is a kernel mode first chance write access violation in user memory, and is probably not exploitable."
		RESULT_URL					NULL
		RESULT_IS_FINAL				false
	END_ANALYZE_DATA

	// Rule: Divide By Zero is not considered exploitable
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				USER
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_INTEGER_DIVIDE_BY_ZERO
		EXCEPTION_SUBTYPE			DONT_CARE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		NOT_LIKELY_EXPLOITABLE
		RESULT_DESCRIPTION			L"Integer Divide By Zero"
		RESULT_SHORTDESCRIPTION		L"DivideByZero"
		RESULT_EXPLANATION			L"This is a divide by zero, and is probably not exploitable."
		RESULT_URL					NULL
		RESULT_IS_FINAL				false
	END_ANALYZE_DATA

	// Rule: Divide By Zero is not considered exploitable
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				USER
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_FLOAT_DIVIDE_BY_ZERO
		EXCEPTION_SUBTYPE			DONT_CARE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		NOT_LIKELY_EXPLOITABLE
		RESULT_DESCRIPTION			L"Float Divide By Zero"
		RESULT_SHORTDESCRIPTION		L"DivideByZero"
		RESULT_EXPLANATION			L"This is a divide by zero, and is probably not exploitable."
		RESULT_URL					NULL
		RESULT_IS_FINAL				false
	END_ANALYZE_DATA

	// Rule: Stack exhaustion is not considered exploitable
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				USER
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_STACK_OVERFLOW
		EXCEPTION_SUBTYPE			DONT_CARE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		NOT_LIKELY_EXPLOITABLE
		RESULT_DESCRIPTION			L"Stack Exhaustion"
		RESULT_SHORTDESCRIPTION		L"StackExhaustion"
		RESULT_EXPLANATION			L"Stack Exhaustion is considered to be probably not exploitable."
		RESULT_URL					NULL
		RESULT_IS_FINAL				false
	END_ANALYZE_DATA

	//
	// Unknown Exploitability Non-Terminal Rules
	//

	// Rule: All user mode Write Access violations are UNKNOWN if near null
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				USER
		EXCEPTION_ADDRESS_RANGE		NEAR_NULL
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_WRITE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		UNKNOWN
		RESULT_DESCRIPTION			L"User Mode Write AV near NULL"
		RESULT_SHORTDESCRIPTION		L"WriteAVNearNull"
		RESULT_EXPLANATION			L"User mode write access violations that are near NULL are unknown."
		RESULT_URL					NULL
		RESULT_IS_FINAL				false
	END_ANALYZE_DATA

	// Rule: Breakpoints are considered probably not exploitable, but should not occur in production code
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				DONT_CARE
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_WX86_BREAKPOINT
		EXCEPTION_SUBTYPE			DONT_CARE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		UNKNOWN
		RESULT_DESCRIPTION			L"Breakpoint"
		RESULT_SHORTDESCRIPTION		L"Breakpoint"
		RESULT_EXPLANATION			L"While a breakpoint itself is probably not exploitable, it may also be an indication that an attacker is testing a target. In either case breakpoints should not exist in production code."
		RESULT_URL					NULL
		RESULT_IS_FINAL				false
	END_ANALYZE_DATA

	// Rule: Breakpoints are considered probably not exploitable, but should not occur in production code
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				DONT_CARE
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_BREAKPOINT
		EXCEPTION_SUBTYPE			DONT_CARE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		UNKNOWN
		RESULT_DESCRIPTION			L"Breakpoint"
		RESULT_SHORTDESCRIPTION		L"Breakpoint"
		RESULT_EXPLANATION			L"While a breakpoint itself is probably not exploitable, it may also be an indication that an attacker is testing a target. In either case breakpoints should not exist in production code."
		RESULT_URL					NULL
		RESULT_IS_FINAL				false
	END_ANALYZE_DATA

	// Rule: Bug checks that we don't have special case handling for should be called out separately
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				KERNEL
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_BREAKPOINT
		EXCEPTION_SUBTYPE			DONT_CARE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			WasBugCheckDetected
		RESULT_CLASSIFICATION		UNKNOWN
		RESULT_DESCRIPTION			L"BugCheck"
		RESULT_SHORTDESCRIPTION		L"BugCheck"
		RESULT_EXPLANATION			L"A BugCheck was detected, but no further information about the severity could be determined."
		RESULT_URL					NULL
		RESULT_IS_FINAL				false
	END_ANALYZE_DATA

	// Rule: If the stack contains unknown symbols in user mode, call that out
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				USER
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				DONT_CARE
		EXCEPTION_SUBTYPE			DONT_CARE
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			DoesStackTraceContainUnknownFunctions
		RESULT_CLASSIFICATION		UNKNOWN
		RESULT_DESCRIPTION			L"Possible Stack Corruption"
		RESULT_SHORTDESCRIPTION		L"PossibleStackCorruption"
		RESULT_EXPLANATION			L"The stack trace contains one or more locations for which no symbol or module could be found. This may be a sign of stack corruption."
		RESULT_URL					NULL
		RESULT_IS_FINAL				false
	END_ANALYZE_DATA
	
	// Rule: Kernel Mode Read AVs near NULL are considered to have an unknown exploitability
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				KERNEL
		EXCEPTION_ADDRESS_RANGE		NEAR_NULL
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			NULL
		RESULT_CLASSIFICATION		UNKNOWN
		RESULT_DESCRIPTION			L"Kernel Read Access Violation near NULL"
		RESULT_SHORTDESCRIPTION		L"ReadAVNearNull"
		RESULT_EXPLANATION			L"This is a kernel mode read access violation near null."
		RESULT_URL					NULL
		RESULT_IS_FINAL				false
	END_ANALYZE_DATA

	// Rule: Tainted information used to control the source of a later block move unknown, but called out explicitly
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				DONT_CARE
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			IsTaintedDataUsedAsSourceForBlockDataMove
		RESULT_CLASSIFICATION		UNKNOWN
		RESULT_DESCRIPTION			L"Data from Faulting Address is used in a subsequent Block Data Move"
		RESULT_SHORTDESCRIPTION		L"TaintedDataUsedInBlockMove"
		RESULT_EXPLANATION			L"The data from the faulting address is later used as the input for a later block data move."
		RESULT_URL					NULL
		RESULT_IS_FINAL				false
	END_ANALYZE_DATA

	// Rule: First Chance Read AVS in a block move in the kernel are called out as unknown
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				KERNEL
		EXCEPTION_ADDRESS_RANGE		IN_USER_MEMORY
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				FIRST_CHANCE
		ANALYZE_FUNCTION			IsFaultingInstructionBlockDataMove
		RESULT_CLASSIFICATION		UNKNOWN
		RESULT_DESCRIPTION			L"Memory Read Access Violation on Block Data Move"
		RESULT_SHORTDESCRIPTION		L"ReadAVonBlockMove"
		RESULT_EXPLANATION			L"This is a first chance read access violation in a kernel mode block data move. If the attacker controls the size of the move, this may represent a security issue."
		RESULT_URL					NULL
		RESULT_IS_FINAL				false
	END_ANALYZE_DATA

	// Rule: Tainted information used as an argument to a function is an unknown risk, but called out explicitly
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				DONT_CARE
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			IsTaintedDataUsedAsAFunctionArgument
		RESULT_CLASSIFICATION		UNKNOWN
		RESULT_DESCRIPTION			L"Data from Faulting Address is used as one or more arguments in a subsequent Function Call"
		RESULT_SHORTDESCRIPTION		L"TaintedDataPassedToFunction"
		RESULT_EXPLANATION			L"The data from the faulting address is later used as one or more of the arguments to a function call."
		RESULT_URL					NULL
		RESULT_IS_FINAL				false
	END_ANALYZE_DATA

	// Rule: Tainted information returned from a function is an unknown risk, but called out explicitly
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				DONT_CARE
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			IsTaintedDataUsedAsAFunctionRetVal
		RESULT_CLASSIFICATION		UNKNOWN
		RESULT_DESCRIPTION			L"Data from Faulting Address may be used as a return value"
		RESULT_SHORTDESCRIPTION		L"TaintedDataReturnedFromFunction"
		RESULT_EXPLANATION			L"The data from the faulting address may later be used as a return value from this function."
		RESULT_URL					NULL
		RESULT_IS_FINAL				false
	END_ANALYZE_DATA


	// Rule: Tainted information used to control branch selection is an unknown risk, but called out explicitly
	BEGIN_ANALYZE_DATA
		PROCESSOR_MODE				DONT_CARE
		EXCEPTION_ADDRESS_RANGE		DONT_CARE
		EXCEPTION_TYPE				STATUS_ACCESS_VIOLATION
		EXCEPTION_SUBTYPE			ACCESS_VIOLATION_TYPE_READ
		EXCEPTION_LEVEL				DONT_CARE
		ANALYZE_FUNCTION			IsTaintedDataUsedToDetermineBranchSelection
		RESULT_CLASSIFICATION		UNKNOWN
		RESULT_DESCRIPTION			L"Data from Faulting Address controls Branch Selection"
		RESULT_SHORTDESCRIPTION		L"TaintedDataControlsBranchSelection"
		RESULT_EXPLANATION			L"The data from the faulting address is later used to determine whether or not a branch is taken."
		RESULT_URL					NULL
		RESULT_IS_FINAL				false
	END_ANALYZE_DATA
};
#endif
